- A leaked DPRK payment server revealed over US$3.5 million in crypto processed since late November 2025, averaging roughly US$1 million per month across 390 accounts tied to forged identities.
- The platform listed three OFAC-sanctioned entities, with workers using fake documents, Chinese bank accounts, and Payoneer to convert crypto to fiat.
- ZachXBT characterised the group as less sophisticated than elite DPRK units like Applejeus, but noted that state-backed actors have stolen an estimated US$7 billion from crypto platforms since 2009.
The crypto community’s most popular on-chain sleuth, ZachXBT, recently published an 11-part thread detailing a leak from an internal North Korean payment system, showing more than US$3.5 million (AU$5.08 million) in crypto-to-fiat transactions processed since late November 2025.
The data came from a compromised device infected with infostealer malware. An unnamed source provided the files, which had not been publicly released. The dataset includes around 390 accounts, internal messages, fake identities, browser histories, and crypto transaction records.
The system, hosted on luckyguys.site and referred to internally as WebMsg, functioned as a messaging platform where IT workers reported payments.
At least ten accounts still used the default password “123456.” User records included Korean names, locations, and coded group labels linked to known North Korean operations.
Read more: Bitcoin Bullish Shift Gains Momentum as Iran Ceasefire Eases Market Tensions
Inside the Payment Pipeline
Three entities listed on the platform, Sobaeksu, Saenal, and Songkwang, are under US Treasury sanctions. A central admin account, identified as PC-1234, confirmed payments and issued login credentials for crypto exchanges and financial platforms.
The records show workers earning about US$1 million (AU$1.45 million) per month by securing remote developer roles using fake identities and forged documents. Funds were either sent directly from crypto exchanges or converted to fiat through Chinese bank accounts using services such as Payoneer.
Blockchain data links several addresses in the dataset to known North Korean clusters, including wallets later frozen by Tether in December 2025.
Same Patterns And Network
ZachXBT identified 33 individuals operating within the same network between December 2025 and February 2026. Internal logs include discussions about targeting a GalaChain-based game called Arcano, with references to using a Nigerian proxy.
The dataset also shows distribution of 43 training modules for Hex-Rays and IDA Pro, tools used for reverse engineering and exploit development. These materials covered disassembly, debugging, and code analysis.
ZachXBT said the group appears less advanced than known North Korean units such as Applejeus and Tradertraitor, but remains active due to lower risk and limited competition.
North Korean-linked actors have stolen about US$7 billion (AU$10.15 billion) in crypto since 2009, including US$1.4 billion (AU$2.03 billion) from Bybit and US$625 million (AU$906.25 million) from the Ronin bridge.
The luckyguys.site domain went offline one day after the findings were published.
Read more: Bitcoin ETFs See $471M Inflow Surge as BlackRock’s IBIT Leads
Credit: Source link
